
We're trying to deploy OpenStack on a hardened Debian-based Linux distro via Kolla-ansible, and we seem to be almost done, but we are facing an issue with the nova_compute container, which complains:

2021-09-12 08:56:34.365 7 INFO nova.virt.libvirt.driver [-] Connection event '0' reason. 
 'Failed to connect to libvirt: Unable to query peer security context: No data available

and restarts permanently.

Here are relevant config snippets:

(venv) root@server11:~# grep nova /etc/kolla/globals.yml 
nova_backend_ceph                  : "yes"
nova_compute_virt_type             : "qemu"
(venv) root@server11:~# cat /etc/kolla/config/nova/nova-compute.conf 
[libvirt]
virt_type=qemu
cpu_mode = none
(venv) root@server11:~# 

Tried to figure out the root cause myself, read the docs, googled but to no avail, so any suggestions on how to fix the issue will be highly appreciated.

djdomi

1 Answer

This error message means that the getpeercon() method failed. This method is only run if libvirt is built with SELinux support. The "No data available" return value suggests perhaps SELinux is turned off, but that should already have been caught by the "ENOSYS" / "NOPROTOOPT" checks.

DanielB
  • Thanks, DanielB! Neither the host distro (Astra Linux, a hardened Debian 9 derivative) nor the containers' base image (Ubuntu) has anything to do with SELinux. Bearing this in mind, did I understand correctly that, according to your answer, the way to work around the issue is to customize Kolla-ansible in the nova_libvirt part to use libvirt built without SELinux support? – Alex Vrublevskiy Sep 13 '21 at 10:43
  • Astra Linux has replaced SELinux with its own unique mandatory access control system. That may be why libvirt has gotten confused? In any case, a build of libvirt and its related packages without SELinux support seems like the way to go. – Michael Hampton Sep 13 '21 at 16:14
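
An added diagnostic, not part of the answer or comments above and not libvirt's own code: libselinux's getpeercon() is a wrapper around getsockopt() with SO_PEERSEC, so this Linux-only C program issues the same query on a local socket pair and reports which errno class the kernel returns. The function and enum names are hypothetical, and the fallback SO_PEERSEC value is an assumption used only if the system headers do not define it.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef SO_PEERSEC
#define SO_PEERSEC 31 /* assumption: asm-generic value, used only if headers lack it */
#endif

/* Hypothetical names for this example; not libvirt or libselinux identifiers. */
enum peersec_result { PEERSEC_LABEL, PEERSEC_NO_LSM, PEERSEC_NO_DATA, PEERSEC_OTHER };

/* Map a getsockopt() outcome onto the cases named in the answer. */
enum peersec_result classify_peersec(int rc, int err)
{
    if (rc == 0)
        return PEERSEC_LABEL;      /* the kernel returned a peer label */
    if (err == ENOSYS || err == ENOPROTOOPT)
        return PEERSEC_NO_LSM;     /* the checks the answer expects to catch "SELinux off" */
    if (err == ENODATA)
        return PEERSEC_NO_DATA;    /* "No data available", the error in the question */
    return PEERSEC_OTHER;
}

/* Query the peer label on a local AF_UNIX pair; fills label and *err. */
enum peersec_result probe_peersec(char *label, socklen_t cap, int *err)
{
    int fds[2];
    socklen_t len = cap - 1;       /* keep room for the terminating NUL */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds) != 0) { *err = errno; return PEERSEC_OTHER; }
    memset(label, 0, cap);
    int rc = getsockopt(fds[0], SOL_SOCKET, SO_PEERSEC, label, &len);
    *err = (rc == 0) ? 0 : errno;
    close(fds[0]); close(fds[1]);
    return classify_peersec(rc, *err);
}

int main(void)
{
    static const char *names[] = { "label returned", "no LSM peer label (ENOSYS/ENOPROTOOPT)",
                                   "ENODATA (matches the nova_compute log)", "other error" };
    char label[256];
    int err = 0;
    enum peersec_result r = probe_peersec(label, sizeof label, &err);
    printf("SO_PEERSEC: %s; errno=%d (%s); label='%s'\n",
           names[r], err, err ? strerror(err) : "none", label);
    return r == PEERSEC_NO_DATA;   /* exit status 1 flags the failing case */
}
```

Built with a plain C compiler and run both on the host and inside the nova_libvirt container, it shows whether the kernel itself answers the peer-label query with ENODATA, independently of libvirt.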